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November 30, 2006. 
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(1) Real Party in Interest 

A statement identifying by name the real party of interest is contained in the brief. 

(2) Related Appeals and Interferences 

The examiner is not aware of any related appeals, interferences, or judicial proceedings which 
will directly affect or be directly affected by or have a bearing on the Board's decision in the pending 
appeal. 

(3) Status of Claims 

The statement of the status of claims contained in the brief is correct. 

(4) Status of Amendments After Final 

No amendment after final has been filed. 

(5) Summary of Claimed Subject Matter 

The summary of claimed subject matter contained in the brief is correct. 

(6) Grounds of Rejection to be Reviewed on Appeal 

The appellant's statement of the grounds of rejection to be reviewed on appeal is correct. 

(7) Claims Appendix 

The copy of the appealed claims contained in the Appendix to the brief is correct. 



(8) Evidence Relied Upon 

a) Kramer et al. US Patent #5,414,852. Newly cited and presented. 
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b) Ukelson, US Patent #6,338,096. Newly cited and presented. 

c) Desai et al. US Patent #6,820,204. Newly cited and presented. 

d) Erickson et al. US Publication #2003/0081791. Newly cited and presented. 

e) Chen etal. US Publication #2003/0191703. Newly cited and presented. 

f) The American Heritage Dictionary of the English Language: Fourth Edition, definition of 
"access", 2000. Newly cited and attached. 

(9) Grounds of Rejection 

The following ground(s) of rejection are applicable to the appealed claims: 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis 
for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

Claims 5, 15, 19, 21, 29-30, 32-37 rejected under 35 U.S.C. 102(e) as being anticipated by Chen 
et al, US Publication #2003/0191703 (Chen hereinafter). 

As per claim 1 5, Chen teaches the invention as claimed including a method of controlling access 
to user specific information for use in a network computer system including a web-services provider, a 
user of a service provider by the web-services provider, and a client of the web-services provider, said 
method of controlling access to the user-specific information, Chen's teachings comprising: 
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operatively receiving at the web-services provider a request from the client to access the certain 
user-specific information in the data store wherein the web-services provider maintaining a data store of 
user-specific information associated with the user, said user-specific information accessible by the user 
and having access by the client controlled by the user, said client seeking access to certain of the user- 
specific information in the data store (Paragraph 0085; 0136. Client account data is stored on data 
aggregation system. Paragraphs 0137-0138. Web server receives request from third parties to access 
client account data.); 

generating an intended use request by the client of the certain user-specific information in the 
data store (Paragraph 0138. Interested party sends login request comprising name, id, and password. 
Paragraph 0139. Identification/authentication used to identify intentions of accessing specific client 
accounts.); 

determining an allowed level of access permitted by the user (Paragraph 0138. Interested party 
identification and authentication is stored. Paragraph 0139. Access permission page indicates client 
accounts accessible by requesting interested party. Paragraphs 0164; 0171 . Set of client access 
permissions. Paragraph 0172. Select access level.); 

comparing the generated intended use request with the determined allowed level of access 
(Paragraph 0139. Determine if interested party's identification/authentication is valid.); 

invoking a consent engine in response to the client's request if the generated intended use request 
is outside the allowed level of access, said consent engine informing the user of the client's request to 
access the certain user-specific information in the data store and inviting the user to permit or to deny the 
client's request to access the certain user-specific information in the data store (Paragraphs 0171; 0175- 
0176. Client may be prompted to change (or grant) interested party access permissions.); and 

completing the request from the client to access the certain user-specific information in the data 
store when the generated intended use request by said client of the certain user-specific information is 
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within the determined allowed level of access by the user (Paragraph 0139. If 

identification/authentication information is valid, permissions page including accessible client accounts 
are transmitted.). 

As per claim 29, Chen teaches the invention as claimed including a system for controlling access 
to user-specific information in a network computing environment, Chen's teachings comprising: 
a web-services provider (Paragraph 0136. Data aggregation system.); 

a user of a service of the web-services provider, the web-services provider maintaining a data 
store of user-specific information associated with the user (Paragraphs 0136; 0139. Client account data.), 
said user-specific information accessible by the user and having access by the client controlled by the user 
(Paragraph 0138. Interested party requests to access client account data.), and a set of default access 
preferences defining a list of default access permissions allowed by the user (Paragraphs 0164; 0171- 
0172. Access level set by client.); 

a client of the web-services provider, said client generating a request to access to certain of the 
user-specific information associated with the user said request identifying an intended use by the client of 
the certain user-specific information in the data store (Paragraph 0138. Interested party sends login 
request comprising name, id, or password. Paragraph 0139. Identification/authentication identifies 
intentions of accessing specific client accounts.); 

an access control engine operatively receiving the client request to access the certain user-specific 
information and dynamically creating an access control rule by comparing the set of default access 
preferences with the intended use by the client, said access control rule granting the requested access by 
the client to the certain user-specific information if the intended use of the client of the certain user- 
specific information is within the list of default access permissions defined by the set of default access 
preferences allowed by the user (Paragraph 0139. If identification/authentication information is valid, 
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permissions page including accessible client accounts are transmitted. Paragraph 0164. Access level is 
assign to interested party.); and 

a consent engine generating an option list in response to the client's request for user-specific 
information having at least one entry based on the intended use by the client of the user-specific 
information in the data store (Paragraphs 0138; 0144. Interested party requests access client account.), 
said consent engine displaying on the display interface of the network communication device an option 
menu reflecting the generated option list, said option menu prompting the user to accept or reject at least 
one option displayed on the option menu using the selection interface of the network communication 
device (Paragraphs 0171; 0175-0176. Client may be prompted to change (or grant) interested party 
access permissions. Provides list of potential interested parties whom the client may choose to grant 
access.). 

As per claim 5, Chen teaches the system of claim 32 wherein creating the access control rule 
comprises updating a list of permissions such that said list of access permissions reflects whether the user 
accepted or rejected the at least one option (Paragraphs 0174; 0175. Update client permission settings.). 

As per claim 19, Chen teaches the method of claim 15 further comprising denying the client 
access to the requested certain user-specific information in the data store if the determined intended use is 
outside the allowed level of access (Paragraph 01 39. If identification/authentication is valid, interested 
party is given access. Paragraph 0 1 7 1 . "no access" level.). 

As per claim 21, Chen teaches one or more computer-readable media having computer- 
executable instructions for performing the method recited in claim 15 (Paragraph 0053. Data aggregation 
system comprises servers application software instructions.). 
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As per claim 30, Chen teaches the system of claim 29 further comprising a network 
communication device having a display interface and a selection menu and wherein the user 
communicates with the web-services provider via the network communication device (Paragraphs 0172; 
0174; 0176. User selects access level with web server.). 

As per claim 32, Chen teaches the system of claim 29 wherein the network communication device 
generates a selection signal indicative of whether the user accepted or rejected the at least one option 
displayed on the option menu (Paragraphs 0171; 0174; 0176. Grant interested party access and select 
access level. Send client permission settings to web server.). 

As per claim 33, Chen teaches the system of claim 29 wherein the consent engine provides a 
consent signal having a parameter indicative of whether the user accepted or rejected the at least one 
option and wherein the access control engine receives the consent signal, said access control engine 
granting the requested access if the consent signal indicates that the user accepted the at least one option 
(Paragraphs 0171; 0174; 0176. Grant interested party access and select access level. Send client 
permission settings to web server.). 

As per claim 34, Chen teaches the system of claim 33 wherein the access control engine denies 
the requested access if the consent signal indicates that the user rejected the at least one option 
(Paragraphs 0171; 0176. Delete potential interested parties. Set "no access" level for client access 
permissions.). 

As per claim 35, Chen teaches the system of claim 29 further comprising an authentication engine 
authenticating a digital identity of the user and wherein the access control engine denies the requested 



Application/Control Number: 10/084,859 Page 8 

Art Unit: 2154 

access if the digital identity of the user is not authenticated by the authentication engine (Paragraph 0139. 
Determine if authentication is valid.). 

As per claim 36, Chen teaches the system of claim 29 further comprising a client intentions 
document identifying the intended use by the client of the user-specific information in the data store 
(Paragraph 0138. Request may comprise name, identification umber, or password.). 

As per claim 37, Chen teaches the system of claim 36 further comprising: 

a network communication device having a display interface and a selection menu and wherein the 
user communicates with the web-services provider via the network communication device (Paragraphs 
0042; 0172. Client terminal may be a web-enabled personal computer to display graphical user interface. 
Cljent user selects access level.); and 

a consent engine retrieving the client intentions document and generating an option list having at 
least one entry therein based on the intended use identified in the intentions document, said consent 
engine displaying on the display interface of the network communication device an option menu 
reflecting the generated option list, said option menu prompting the User to accept or reject at least one 
option displayed on the option menu using the selection interface of the network communication device 
(Paragraphs 0175-0176. Client terminal displays list of potential interested parties. Client chooses to 
grant access.). 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 

rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
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having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

Claims 3, 10, 13, 16-17 are rejected under35 U.S.C. 103(a) as being unpatentable over Chen, in 
view of Kramer et al, US Patent #5,414,852 (Kramer hereinafter). 

As per claims 3, 16, 17, Chen teaches of a client's request to access the certain user-specific 
information in the data store. However, Chen does not specifically teach the system of claim 29 wherein 
the client's request identifies a desired subject matter to be accessed and a method of accessing the 
desired subject matter and wherein comparing the set of default access preferences with the intended use 
by the client further comprises determining if the set of default access preferences permits the client to 
access the desired subject matter; and determining if the set of default access preferences permits the 
identified method of accessing the desired subject matter. 

Kramer teaches of a requesting identifying a data object, i.e. desired subject matter, and the type 
of access for the data object (Col 5, lines 25-31) and determining if access rules permits the identified 
type of access of the data object (Col 4, lines 1-5; Col 5, lines 28-34). 

It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings because the teachings of Kramer to identify a desired subject matter to accessed 
and a method of accessing the desired subject matter, and determine if access rules permits the identified 
method of access with the desired subject matter would improve the teachings of Chen by providing a 
user with additional access control of user-information including setting different types of secure access 
to specific information. 

As per claim 10, Chen teaches of requesting access to user-specific information. However, Chen 
does not specifically teach the system of claim 29 wherein the client identifying a request form of access 
to the user-specific information in the data store and the access control engine granting the requested 
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access to the certain user-specific information in the data store if the user has granted said form of access 
requested by the client comprises permitting the client to read the requested user-specific information in 
the data store and permitting the client to write the requested' user-specific information in the data store. 

Kramer teaches of sending a request comprising a request type to a data object, wherein the data 
object may be any type of object, and granting the access to read the data object and write the data object 
(Col 2, lines 41-46; Col 4, lines 1-5, 52-55; Col 5, lines 26-41). 

It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings because the teachings of Kramer to grant a form of access requested by the 
client comprising permitting a client to read the requested information and permit the client to write the 
requested information in the data store would improve the teachings of Chen by providing a user with 
additional access control of user-information including setting different types of secure access to specific 
information. 

As per claim 13, Chen teaches the system of claim 29 wherein creating the access control rule to 
permit the client to have access to the certain user-specific information in the data store if the default 
access permissions permit the identified intended use comprises creating the access control rule to permit 
the client to read the certain user-specific information in the data store (Paragraphs 0139; 0172; 0175. 
User selects access level for interested party. Interested party is granted access to client account data.). 
However, Chen does not specifically teach of creating the access control rule to permit the client to write 
the certain user-specific information in the data store. 

Kramer teaches of creating an access control rule to permit clients to write data objects, wherein 
data objects may be any type of object (Col 2, lines 42-45; Col 4, lines 1-5, 52-55). 
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It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings because the teachings of Kramer to create an access control rule to permit 
clients to write data objects would improve the teachings of Chen by providing additional administrative 
control of user-information, thus allowing a user to set various access privileges to user-information. 

As per claim 18, Chen teaches of the method of claim 17 further comprising: creating an access 
filter defining an extent to which the user permits access to the type of information within the certain 
user-specific information in the data store; and wherein completing the request from the client to access 
the certain user-specific information in the data store when the generated intended use request is within 
the determined allowed level of access further comprises: applying the access filter to the certain user- 
specific information in the data store to create a filter information set; and permitting the client to access 
the filtered information set (Paragraph 0164. User assigns access level to a given interested party. Levels 
of access includes no access, summary view access, account detailed view access.). However, Chen does 
specifically teach of permitting a form of access of the user-specific information in the data store. 

Kramer teaches of sending a request comprising a access type to a data object, wherein the data 
object may be any type of object, and granting the access type to the data object, e.g. read and write (Col 
2, lines 41-46; Col 4, lines 1-5, 52-55; Col 5, lines 26-41). 

It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings because the teachings of Kramer to permit a form of access to specific 
information in the data store would improve the teachings of Chen by providing a user with additional 
access control of user-information including setting different types of secure access to specific 
information. 



Application/Control Number: 10/084,859 Page 12 

Art Unit: 2154 

Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over Chen, in view of Ukelson, 
US Patent #6,338,096 (Ukelson hereinafter). 

As per claim 6, Chen does not specifically teach the system of claim 29 wherein the client 
determining if the client has a local copy of the certain user-specific information in the data store before 
transmitting the request, the client retrieving said local copy of the certain user-specific information if the 
local copy is available, the client determining if said local copy of the certain user-specific information is 
current, and transmitting the request only if said local copy of the certain user-specific information is not 
available and not current. 

Ukelson teaches of determining if a client has a local copy of information in the data store before 
transmitting the request (Col 9, lines 9-14 ), the client retrieving the local copy of the information if the 
local copy is available (Col 9, lines 15-17), the client determining if the local copy of the information is 
current (Col 9, lines 1 7-24), and transmitting the request only if the local copy of the information is not 
available and not current (Claim 6; Col 9, lines 21-23, 35-38). 

It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings because the teachings of Ukelson to determine if a client has a local copy of 
information in the data store before transmitting the request, the client retrieving the local copy of the 
information if the local copy is available, the client determining if the local copy of the information is 
current, and transmitting the request only if the local copy of the information is not available and not 
current would improve the system of Chen by reducing the transmission of data over the network and 
delay associated with receiving data (Col 3, line 66-Col 4, line 2), and allowing only authorized access to 
information on the network (Col 9, line 45-49). 
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Claim 9 is rejected under 35 U.S.C. 103(a) as being unpatentable over Chen, in view of Desai et 
al, US Patent #6,820,204 (Desai hereinafter). 

As per claim 9, Chen does not specifically teach the system of claim 29 wherein the access 
control engine determining if the client has an access subscription right to the certain user-specific 
information in the data store and the access control engine permitting the client to have access to the 
certain user-specific information in the data store if the client has the access subscription right to the 
certain user-specific information in the data store. 

Desai teaches of registering to access user profile data, wherein registered third parties receive 
user profile data (Col 9, lines 1-4, 42-52). 

It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings of Chen and Desai because the teachings of Desai for registered clients to 
receive user information, i.e. subscribe to user information, would improve the system of Chen by 
allowing interested parties to receive updates to the user information and may subsequently use user ■ 
information to functions such as processing electronic transactions (Col 9, lines 40-47, 53-67). 

Claims 1 1-12 are rejected under 35 U.S.C. 103(a) as being unpatentable over Chen and Kramer, 
in view of Erickson et al, US Publication #2003/0081791 (Erickson hereinafter). 

As per claim 1 1, Chen teaches of permitting the client to read the requested user-specific 
information in the'data store (Claim 1). However, Chen does not specifically teach the system of claim 
10 wherein transmitting a copy of the accessed certain user-specific information to the client in a SOAP 
message. 

Erickson teaches of transmitting messages according to the SOAP protocol (Page 2, Paragraph 

21). 



Application/Control Number: 10/084,859 Page 14 

Art Unit: 2154 

It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings Chen, Kramer, and Erickson because the teachings of Erickson to use the SOAP 
protocol in sending messages would improve the efficiency of the system of Chen and Kramer by 
providing a simplified protocol for exchanging structured information on the web (Microsoft Computer 
Dictionary, Fifth Edition, 2002). 

As per claim 12, Chen and Kramer taught of permitting the client to write certain user-specific 
information in the data store. However, Chen does not specifically teach the system receiving at the web- 
services provider a SOAP message from the client identifying the certain user-specific information and 
writing the identified certain user-specific information in the data store. 

Erickson teaches of transmitting messages according to the SOAP protocol (Page 2, Paragraph 

21). 

It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings of Chen, Kramer, and Erickson because the teachings of Erikson to use the 
SOAP protocol in sending messages would improve the efficiency of the system of Chen and Kramer by 
providing a simplified protocol for exchanging structured information on the web (Microsoft Computer 
Dictionary, Fifth Edition, 2002). 

(10) Response to Argument 

Appellant argued that: 

1) Regarding claim 15, Chen et al. fails to disclose or teach "generating an intended use request 
by the client of the certain user-specific information in the data store". 
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Page 15 



In response, Examiner respectfully disagrees that the features are not taught by Chen. Firstly, the 
American Heritage Dictionary, 2000, defines "access" as "a means of making use of or "the ability to 
make use of. Secondly, Chen teaches, 

i) "at least one embodiment of the invention may also be configured to provide access to client 
account data by interested parties such as, but not limited to, the financial advisors of a client 
investor." (Paragraph 0136) 

ii) "the user may enter the identification or authentication information into the appropriate data 
entry fields of the login HTML or XML page and cause the interested party terminal to transmit 

' the entered information. . . In response to receiving the interest party login request the data 
aggregation system may validate the received interested party request ... (Paragraph 0138). 

iii) "The data aggregation system may validate the received interested party request at 815 by 
comparing the name, identification number, or password information received in the login request 
to corresponding information maintained by the data aggregation system" (Paragraph 0138) 

iv) "If the database server determines that the interested party identification/authentication 
information is valid, then the web server may generate and transmit client access permissions 
page to the interested party terminal at 820... the client access permissions page may include a 
list of the client accounts accessible by the requesting interested party using the data aggregation 
system (Paragraph 0139). 

According to quoted section (i)-(iv) of Chen, a login request is sent to access client account data 
(client account data considered as the claimed client-specific information). It is inherent that the login 
request is generated in order for the login request to be sent, and thus, Chen teaches of generating a login 
request to access client account data. As shown by the American Heritage Dictionary, "access" is defined 
as "make use of, and based on the definition of "access", Chen's teachings can be interpreted as 
generating a login request to "make use of the client-specific information. The login request serves a 
purpose, i.e. intend, of accessing, i.e. making use of, the client account data, and the server recognizes the 
purpose of the login request, which is for login to client account data, since the server Validates the 
request and provides a list of accessible accounts. Therefore, the login request has a recognized intention. 
Chen's teachings of a login request to make use of client account data meets the scopes of "a request for 
intended use of client specific information". 
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2) Regarding claim 15, Chen's login request does not include a request for certain user-specific 
information, and access is not granted based on the intended use of data. Determining an access for an 
interested party is not the same as determining the intended use of the requested information. 

In response, as indicated in quoted sections (iii)-(iv) of Chen, the login request comprises user 
identification or authentication information, and the user identification or authentication information 
determines accessible client account data for the requesting interested party. The user identification or 
authentication information corresponds to the accessible client account data. Therefore, the login request, 
comprising the user identification or authentication information, is a request for certain client-specific 
information, wherein the "certain" client specific information is the client account data accessible by the 
user identification or authentication information. 

According to the above quoted section (iv) of Chen, the login request to access the client account 
data is validated. Access is granted based on the request for access, i.e. "make use", of the client account 
data. As explained earlier, the login request also has a purpose, i.e. intention, which is to access the client 
account data. The server recognizes the purpose of the login request, which is for login to client account 
data, since the server recognizes and validates the login request, and provides a list of accessible accounts. 
Therefore, validation, i.e. granting, of access to the interested party is based on the request's intend of 
access, i.e. make use of, the client account data, and thus, validation is based on "intended use of data". 

3) Regarding claim 15, Chen fails to disclose or teach, "comparing the generated intended use 
request with the determined allowed level of access". 

In response, Examiner respectfully disagrees that Chen fails to teach the feature of "comparing 
the generated intended use request with the determined allowed level of access". 
Chen further teaches, 
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v) "if a client user selects the access level assigned to a particular interested party for an 
aggregated account, the client terminal may in response display a list of possible access levels" 
(Paragraph 0172) 

According to quoted sections (iii) and (iv) of Chen, an interested party sends a login request to 
access client account data, and the login request is used determine a list of accounts of accessible by the 
requesting interested party. Although Chen does not explicitly use the term "comparing", it is essential 
that information in the login request such as the authentication or identification is compared to 
information about the requesting interested party registered at a server to match the interest party's 
information in the login request to the interest party's information at the server to identify accessible 
client accounts corresponding to the interested party's information. From quoted section (v), it is 
essential that information in the login request such as the authentication or identification is compared to 
information regarding the interested party at a server to identify .the access level assigned for the 
requesting interested party. 

4) Regarding claim 15, according to Chen et al, the server provides a list of potential interested 
parties whom the client may choose to grant account access. However, this list is not generated based on 
a request of the interested party nor is it generated in response to a request for certain user-specific 
information as recited in claim 15. 

In response, quoted section (iii) of Chen teaches of validating an interested party's login request, 
and Examiner's response to argument 1 showed that Chen teaches of determining an accessible client 
account and access level permitted by a user based on the login request. Chen's teachings suggest that a 
login request from an interested party without an access level assigned by a client user would be 
invalidated, and thus, the interested party's login request is "outside the allowed level of access". Chen 
further teaches, 

vi) "the client terminal may display a list of potential interested parties 1410 for whom the client 
user may choose to grant or deny account access. The list of potential interested parties 1410 
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may be provided by the application server along with an applet transmitted to the client terminal 
pursuant to client logon using the client terminal." (Paragraph 0175) 

vii) "New interested parties 1410 not named in the displayed list may be entered using the client 
terminal keyboard or other data entry device" (Paragraph 0176). 

According to quoted section (vi) and (vii) of Chen, the server may provide a list comprising of 
potential or new interested parties with an applet to the client user. Potential or new interested parties on 
the list do not have access to the client account data. This is evident since the client user has to approve 
account access for the potential or new interested parties on the list. Any previous login requests for 
access, i.e. intended use requests, by the potential or new interested parties on the list would be 
determined to be "outside of the allowed level of access" and access would be denied until access is 
granted the client user. The potential or new interested parties on the list desire access to the client user 
data. Otherwise, it would be rather pointless for a server to add a party to the list but the party is not 
interested or requesting access to the client account data. 

Chen's teachings may be interpreted such that a potential interested party submits a request login 
request to access the client account data. The login request is invalidated since the client user has not 
assigned client accounts to the potential interested party, i.e. "outside the allowed level of access". Since, 
the potential interested party desires access, Chen's teachings suggest that the potential interested party 
would be added to the list of potential or new interested parties, in response to the potential interested 
party's login request being invalidated, in order for the client user to be informed of the potential 
interested party and determine whether to grant access to the client account data. 

5) Regarding claim 15, nothing in Chen et al. teaches, suggests, or anticipates invoking a consent 
engine to inform the user of the client's request to access user-specific information and its intended use. 

In response, the feature of informing the user of the client's request to access user-specific" 
information and its intended use " is not found in claim 15 (underlined for emphasis). Claim 15 recites, 
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inter alia, "said consent engine informing the user of the client's request to access the certain user-specific 
information in the data store and inviting the user to permit or to deny the client's request to access the 
user-specific information in the data store". According to claim 15, the client is informed of a client's 
request to access the certain user-specific information but does not comprise a feature of informing the 
user of a client's intended use. 

. Chen teaches of presenting a client user a list of potential or new interested parties (Paragraphs 
01 75-1 76). The potential or new interested parties on the list do not have access to client account data 
until the client user approves account access for the potential or new interested parties on the list. Any 
login requests by the potential or new interested parties would be "outside the allowed level of access" 
permitted by the client user. By the presenting the list, the client user is informed of the potential or new 
interested parties that are "outside the allowed level of access" and desire access to the client account 
data, which meets the scopes of "informing the user of the client's request to access the certain user- 
specific information in the data store". 

6) Regarding claim 29, nothing in Chen et al. teaches, suggests or makes obvious a request to 
access certain of the user-specific information associated with the user, said request identifying an 
intended use by the client of the certain user-specific information. 

In response, Examiner respectfully disagrees that the features are not taught by Chen. It was 
shown that the American Heritage Dictionary, 2000, defines "access" as "a means of making use of or 
"the ability to make use of '. 

By sending the login request to access client account data (client account data considered as the 
claimed client-specific information), it is inherent that the login request is generated, and Chen teaches of 
generating a login request to access client account data. As shown by the American Heritage Dictionary, 
"access" is defined as "make use of, and based on the definition of "access", Chen's teachings can be 
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interpreted as generating a login request to make use of the client-specific information. The login 
request serves a intend of accessing, i.e. making use of, the client account data, and the server recognizes 
that the login request is for login to client account data by validating the request and providing a list of 
accessible accounts. Therefore, the login request has a recognized intention. Chen's of a request 
intended to access, i.e. make use of, client account data meets the scopes of "a request for intended use of 
client specific information". 

The login request comprises user identification or authentication information, and the user 
identification or authentication information is used to determine accessible client account data for the 
interested party. The user identification or authentication information corresponds to the accessible client 
account data. Therefore, the login request comprising the user identification or authentication 
information is a request for certain client-specific information, wherein the "certain" client specific 
information is the client account data allowable by the user identification or authentication information. 

7) Regarding claim 2, nothing in Chen et al. teaches, suggests or anticipates a consent engine 
generating an option list in response to the client's request for user-specific information having at least 
one entry therein based on the intended use by the client of the user-specific information. 

In response, in the Appeal Brief on page 10, under " 2. Consent engine ", the Appeal Brief recites, 
inter alia, "the present invention as recited in claim 2". Examiner will consider "claim 2" as a 
typographical mistake and consider claim 2 as claim 29. 

Quoted section (iii) of Chen teaches of validating an interested party's login request, and 
Examiner's response to argument 1 showed that Chen teaches of determining an accessible client account 
and access level permitted by a user based on the login request. Chen's teachings suggest that a login 
request from an interested party without an access level assigned by a client user would be invalidated, 
and thus, the interested party's login request is "outside the allowed level of access". 
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Above quoted section (vi)-(vii) of Chen teach of presenting a list of potential or new interested 
parties with an applet to a client user. The list has at least one entry of potential or new interested 
parties, and the client user has the option to grant or deny access to the interested parties on the list. Chen 
teaches of "generating an option list in having at least one entry". Regarding the feature of generating the 
option list in response to the client's request for user-specific information, in Chen, potential or new 
interested parties on the list do not have access to the client account data. This is evident since the client 
user has to approve account access for the potential or new interested parties on the list. Any previous 
login requests by the potential or new interested parties on the list would be determined to be "outside of 
the allowed level of access", and would need to be placed on the list for the client user to grant access to 
the client account data. Furthermore, the potential or new interested parties on the list desire access to the 
client user data. Otherwise, it would be rather pointless for a server to add a party to the list but the 
party is not interested or requesting access to the client account data. 

Chen's teachings may be interpreted such that a potential interested party submits a request login 
request to access the client account data. The login request is invalidated since the client user has not 
assigned client accounts to the potential interested party, i.e. "outside the allowed level of access". Since 
the potential interested party desires access, Chen's teachings suggest that the potential or new interested 
party would be added to the list of potential or new interested parties, in response to the potential 
interested party's login request being invalidated, in order for the client user to be informed of potential 
interested party and determine whether to grant access to the client account data. 

8) Claims 3, 5, 6, 9-13, 30, and 32-37 depend directly or indirectly from claim 29 and are 
submitted to be patentable over Chen et al. for at least the same reasons as claim 29. 
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In response, Appellant does not introduce any new reasons for allowability of claims 3, 5, 6, 9-13, 
15m 30, 32-37, and 39. Claims 3, 5, 6, 9-13, 30, and 32-37 are not patentable for at least the same 
reasons as claim 29 and because of the rejection set forth in the Office action dated November 11, 2006. 

(11) Related Proceeding(s) Appendix 

No decision rendered by a court or the Board is identified by the examiner in the Related Appeals 
and Interferences section of this examiner's answer. 



For the above reasons, it is believed that the rejections should be sustained. 
Respectfully submitted, 
Joshua Joo /JJ/ 
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The American Heritage® Dictionary of the English Language: Fourth Edition. 2000. 



access 



SYLLABICATION: acxess 

PRONUNCIATION: <j „. , „ 
~ ~ ~ " ^ ak ses 

NOUN: i. a means of approaching, entering, exiting, communicating with, or 
making use of: a store with easy access. 2. The act of approaching. 3. 
The ability or right to approach, enter, exit, communicate with, or make 
use of: has access to the restricted area; has access to classified 
material. 4. Public access. 5. An increase by addition. 6. An outburst or 
onset: an access of rage. 

TRANSITIVE Inflected forms: accessed, access-ing, access-es 

VERB: t 0 0 b ta i n access to, especially by computer: used a browser to access a 
website; accessed her bank account online. 

ETYMOLOGY: Middle English acces, a coming to, from Old French, from Latin 

accessus, past participle of acctdere, to arrive : ad-, ad- + ctdere, to 
come; see ked- in Appendix I. 
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